Introduction

CVE Abstraction Content Decisions (CDs) provide guidelines about when to combine multiple reports, bugs, and/or attack vectors into a single CVE name ("MERGE"), and when to create separate CVE names ("SPLIT").

This document:

Discusses the design goals of CDs and their role in managing vulnerability information

Content Decisions in the Context of Vulnerability Information

The following main points should be remembered while reviewing and applying CVE content decisions.

1) VULNERABILITY ANALYSTS USE WIDELY VARYING CRITERIA FOR "SPLITTING" AND "MERGING" MULTIPLE VULNERABILITIES OR VULNERABILITY REPORTS. These criteria are often valid and sufficient for specific cases, but they are not necessarily usable or consistent across a large number of issues.

2) Because of multiple design goals and the varying criteria used in the community, as described in (1) above, THERE ARE SOME CASES IN WHICH CDs DO NOT NECESSARILY FOLLOW "NATURAL" LOGIC.

3) THE QUALITY OF AVAILABLE INFORMATION IS THE PRIMARY FACTOR IN PROPER USE OF CDs, but unfortunately, the quality varies widely across vulnerabilities, and also within different phases in the disclosure and resolution of a single vulnerability.

4) While the current CDs have arisen out of three years of experimentation and tinkering, followed by another three years of informal validation, CDs ARE STILL OCCASIONALLY SUBJECT TO A JUDGMENT CALL BY THE ANALYST.

AB1) If S1 and S2 are different types of bugs, then SPLIT. If one bug type is known but the other is unknown, then they are SPLIT. If both bug types are unknown, then they are treated as the same.

ISSUE: Sometimes (1) there is not sufficient information to determine the bug types, or (2) at the lowest level of detail, the terminology for bug types is nonexistent or inconsistent at best. The best available information is used.

AB2) If S1 and S2 are the same type of bug, but S1 appears in some version that S2 does not (or vice versa), then SPLIT.

ISSUE: Sometimes (1) even the vendor is not sure about the earliest version that is affected by a particular bug, or (2) the report does not contain sufficient information regarding the full range of affected versions. The best available information is used.

AB3) If S1 and S2 are the same type of bug, and they affect the same versions, then MERGE.

ISSUE: Same issues as AB1.

AB4) If there are multiple products, vendors, distributors, or users of the same core codebase, then DO NOT SPLIT based solely on distinguishing between products.

Note: This CD needs more clarity.

ISSUE: Large-scale, suite-based testing (i.e., "PROTOS" style) can affect many different products with unknown codebase relationships, uncertain bug types, and a large number of test cases. Suite-based testing, while highly effective, poses unique challenges for content decisions because of the large number of vulnerabilities that are normally discovered and reported. In addition, codebase relationships can be difficult to determine.
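As an added illustration (not part of the original document), the following Python encodes AB1 through AB4 as one decision routine applied to two reports S1 and S2. The Issue type, the decide function and the sample cases are assumptions made for this example; affected versions are simplified to explicit sets rather than the "before X" ranges the CVE descriptions use.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

@dataclass(frozen=True)
class Issue:
    """One reported bug (S1 or S2): bug type (None = unknown), affected versions, product."""
    bug_type: Optional[str]
    versions: FrozenSet[str]
    product: str = ""

def same_bug_type(s1: Issue, s2: Issue) -> bool:
    """AB1: known vs. unknown counts as different; unknown vs. unknown counts as the same."""
    if s1.bug_type is None and s2.bug_type is None:
        return True
    return s1.bug_type == s2.bug_type  # None on one side only compares unequal

def decide(s1: Issue, s2: Issue) -> Tuple[str, str]:
    """Return (decision, rule) by walking AB1 -> AB2 -> AB3 in order.

    AB4 is honoured by omission: the product field is never consulted, so two
    products that share a codebase are not split merely for being different products.
    """
    if not same_bug_type(s1, s2):
        return ("SPLIT", "AB1")
    if s1.versions != s2.versions:
        return ("SPLIT", "AB2")
    return ("MERGE", "AB3")

# Constructed cases modelled on the real-world examples in this document.
# CVE-2004-0085 / CVE-2004-0086: both types unknown, different Mac OS X versions.
MAIL_1015 = Issue(None, frozenset({"10.1.5", "10.2.8"}), "Mac OS X Mail")
MAIL_1032 = Issue(None, frozenset({"10.3.2"}), "Mac OS X Mail")
# CVE-2001-1402: XSS in two Bugzilla CGI scripts, same version range ("<2.14" is a label).
BUGZILLA_REPORTS = Issue("xss", frozenset({"<2.14"}), "Bugzilla reports.cgi")
BUGZILLA_VOTES = Issue("xss", frozenset({"<2.14"}), "Bugzilla showvotes.cgi")
# Hypothetical product: two different bug types in the same release (constructed, not real).
HYPO_FMT = Issue("format string", frozenset({"1.0"}), "hypothetical-daemon")
HYPO_BOF = Issue("buffer overflow", frozenset({"1.0"}), "hypothetical-daemon")

if __name__ == "__main__":
    pairs = [(MAIL_1015, MAIL_1032), (BUGZILLA_REPORTS, BUGZILLA_VOTES), (HYPO_FMT, HYPO_BOF)]
    for a, b in pairs:
        print(a.product, "vs", b.product, "->", decide(a, b))
```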

Common Abstraction Facets of Non-CVE Vulnerability Sources

The following facets of a vulnerability are often used by other information sources to conduct their own SPLIT or MERGE decisions, in ways that may differ from CVE.

1) Different attack vectors within the same executable.

For example, a Web application with a SQL injection vulnerability in parameter "X" and parameter "Y" might be SPLIT by some sources or MERGED by other sources. Intrusion detection systems can fall into this category.

In CVE, this was historically referred to as CD:SF-LOC, but that has been superseded by the Abstraction Guidelines.

2) Different executables, same attack vector.

For example: programs "X" and "Y" are in the same product. Both might be vulnerable to a buffer overflow in a command line "-arg" parameter.

In CVE, this was historically covered by CD:SF-EXEC, but that has been superseded by the Abstraction Guidelines.

3) Different executables, different attack vectors.

For example, programs "X" and "Y" are in the same product. Both are subject to directory traversal, but "X" is exploitable via the "file" parameter, while "Y" is vulnerable via the "config" parameter.

In CVE, this was historically covered by CD:SF-EXEC, but that has been superseded by the Abstraction Guidelines.

4) Different product, same vendor.

Some sources, especially those geared towards enterprise security and notification, will SPLIT issues based on products, even if the bug is the same.

In CVE, this was partially covered by CD:SF-CODEBASE, but that has been replaced by the Abstraction Guidelines.

5) Different vulnerability type.

Many sources, especially databases, will SPLIT based on the type of vulnerability, e.g., SQL injection will receive a separate identifier from a buffer overflow.

CVE uses this facet in its Abstraction Guidelines.

6) Different products, different vendors, same standard.

Consider a standard protocol, file format, or algorithm, in which there are multiple implementations for that standard. It is very common for separate products to be vulnerable to the same bug. For example, over 20 FTP servers have been subject to buffer overflows in the USER name.

CVE tries to distinguish between separate codebases, but large-scale, multi-implementation analysis efforts can make this difficult.

7) Same patch.

Some sources provide a single identifier for a single patch, even if it is for multiple vulnerability types. Software vendor advisories often fall into this category.

7.5 Real-World Examples

1) AB1: different bug types, same executable

CVE-2000-0696: The administration interface for the dwhttpd web server in Solaris AnswerBook2 does not properly authenticate requests to its supporting CGI scripts, which allows remote attackers to add user accounts to the interface by directly calling the admin CGI script.

CVE-2002-0470: PHPNetToolpack 0.1 relies on its environment’s PATH to find and execute the traceroute program, which could allow local users to gain privileges by inserting a Trojan horse program into the search path.

CVE-2004-0399: Stack-based buffer overflow in Exim 3.35, and other versions before 4, when the sender_verify option is true, allows remote attackers to cause a denial of service and possibly execute arbitrary code during sender verification.

CVE-2004-0400: Stack-based buffer overflow in Exim 4 before 4.33, when the headers_check_syntax option is enabled, allows remote attackers to cause a denial of service and possibly execute arbitrary code during the header check.

4) AB2: different versions

CVE-2003-0421: Apple QuickTime / Darwin Streaming Server before 4.1.3f allows remote attackers to cause a denial of service (crash) via an MS-DOS device name (e.g., AUX) in a request to HTTP port 1220, a different vulnerability than CVE-2003-0502.

CVE-2003-0502: Apple QuickTime / Darwin Streaming Server before 4.1.3g allows remote attackers to cause a denial of service (crash) via a .. (dot dot) sequence followed by an MS-DOS device name (e.g., AUX) in a request to HTTP port 1220, a different vulnerability than CVE-2003-0421.

5) AB2: different versions

CVE-2004-0085: Unknown vulnerability in the Mail application for Mac OS X 10.1.5 and 10.2.8 with unknown impact, a different vulnerability than CVE-2004-0086.

CVE-2004-0086: Unknown vulnerability in the Mail application for Mac OS X 10.3.2 with unknown impact, a different vulnerability than CVE-2004-0085.

9) AB3: same bugs in the same executable. Notice how this description is less detailed than the descriptions for the BitchX and Php-Nuke issues, yet in all cases a single CVE identifier was assigned. This demonstrates the consistency of CVE CDs.

CVE-2004-0886: Multiple integer overflows in libtiff 3.6.1 and earlier allow remote attackers to cause a denial of service (crash or memory corruption) via TIFF images that lead to incorrect malloc calls.

CVE-2004-1050: Heap-based buffer overflow in Internet Explorer 6 allows remote attackers to execute arbitrary code via long (1) SRC or (2) NAME attributes in IFRAME, FRAME, and EMBED elements, as originally discovered using the mangleme utility.

13) AB3: same bug types in the same executable.

CVE-2003-0536: Directory traversal vulnerability in phpSysInfo 2.1 and earlier allows attackers with write access to a local directory to read arbitrary files as the PHP user or cause a denial of service via .. (dot dot) sequences in the (1) template or (2) lng parameters.

CVE-1999-0932: Mediahouse Statistics Server allows remote attackers to read the administrator password, which is stored in cleartext in the ss.cfg file.

3) AB1: different bug types, same executable

CVE-2004-0393: Format string vulnerability in the msg function for rlpr daemon (rlprd) 2.0.4 allows remote attackers to execute arbitrary code via format string specifiers in a buffer that can not be resolved, which is provided to the syslog function.

CVE-2002-0578: Buffer overflow in 4D WebServer 6.7.3 allows remote attackers to cause a denial of service and possibly execute arbitrary code via an HTTP request with Basic Authentication containing a long (1) user name or (2) password.

CVE-2004-0832: The (1) ntlm_fetch_string and (2) ntlm_get_string functions in Squid 2.5.6 and earlier, with NTLM authentication enabled, allow remote attackers to cause a denial of service (application crash) via an NTLMSSP packet that causes a negative value to be passed to memcpy.

CVE-2004-0941: Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and earlier may allow remote attackers to execute arbitrary code via malformed image files that trigger the overflows due to improper calls to the gdMalloc function, a different set of vulnerabilities than CVE-2004-0990.

AB3: MERGE on same bug types within the same executable and across multiple executables.

CVE-2001-1402: Bugzilla before 2.14 does not properly escape untrusted parameters, which could allow remote attackers to conduct unauthorized activities via cross-site scripting (CSS) and possibly SQL injection attacks on (1) the product or output form variables for reports.cgi, (2) the voteon, bug_id, and user variables for showvotes.cgi, (3) an invalid email address in createaccount.cgi, (4) an invalid ID in showdependencytree.cgi, (5) invalid usernames and other fields in process_bug.cgi, and (6) error messages in buglist.cgi.

AB1 and AB3: MERGE on same bug types in multiple executables, but SPLIT on different bug types.

CVE-2003-0487: Multiple buffer overflows in Kerio MailServer 5.6.3 allow remote authenticated users to cause a denial of service and possibly execute arbitrary code via (1) a long showuser parameter in the do_subscribe module, (2) a long folder parameter in the add_acl module, (3) a long folder parameter in the list module, and (4) a long user parameter in the do_map module.

AB2 and AB3: SPLIT on different versions (AB2) but MERGE on same bug types within the same versions (AB3)

CVE-2004-0888: Multiple integer overflows in xpdf 2.0 and 3.0, and other packages that use xpdf code such as CUPS, gpdf, and kdegraphics, allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code, a different set of vulnerabilities than those identified by CVE-2004-0889.

CVE-2004-0889: Multiple integer overflows in xpdf 3.0, and other packages that use xpdf code such as CUPS, allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code, a different set of vulnerabilities than those identified by CVE-2004-0888.